A landing zone is an Alibaba Cloud framework for planning and deploying resource structures, access control, networking, and security compliance. Agentic Cloud Governance Center uses blueprint templates and Resource Directory to streamline landing zone setup and multi-account management.
Landing zone setup process
Agentic Cloud Governance Center streamlines landing zone deployment:
- Check account eligibility.
  The system checks whether your logon account qualifies as a management account. Select a suitable management account based on the results.
- Set up the landing zone.
  - Select a blueprint template.
    Available templates are listed in Supported blueprints.
  - Configure setup items and parameters.
    Available items are listed in Supported setup items.
  - Execute the setup task.
Supported blueprints
| Blueprint | Description |
| --- | --- |
| Standard Blueprint | A standard template for all enterprises. Includes Resource Directory, Core and Applications folders, a log archive account, a financial management account, CloudSSO, and compliance protection rules. These options adapt to existing configurations. After configuration, you can extend the template with advanced networking, security, and compliance features. |
| Standard Blueprint (Cloud Enterprise Network) | For enterprises with high requirements for network security, control, and cost efficiency. Extends the standard template with a CEN-based DMZ. CEN simplifies network configuration, while the DMZ centralizes traffic management to improve security and reduce costs. |
| Cloud-native Blueprint | For enterprises using cloud-native architecture. Extends the standard template with an enterprise-grade ACK Pro cluster in a specified account. The cluster includes load balancing, multi-zone deployment, and the required ACK management permissions. |
| Finance Industry Blueprint | For the finance industry. Extends the standard template with a CEN-based DMZ and compliance packages for the finance industry. |
| Healthcare and Life Sciences Blueprint | For pharmaceutical, biotechnology, and medical device enterprises, aligned with GxP EU standards. Extends the standard template with a CEN-based DMZ, service log delivery, and compliance packages for healthcare and life sciences. |
Supported setup items
| Category | Setup Item | Description | Activation Guide | Recommended Deployment Account |
| --- | --- | --- | --- | --- |
| Resource planning | Create a management account | Creates a Resource Directory management account. | Required | Management account |
| Resource planning | Enable Resource Directory | Enables Resource Directory (RD) to build an enterprise multi-account structure. | Required | Management account |
| Resource planning | Create folders | Creates Core and Applications folders to separate management from business workloads. Folder names and structure are customizable. | Required | Management account |
| Resource planning | Create core accounts | Creates or specifies core accounts for finance, logs, security, and shared services. Account separation ensures proper resource isolation for log delivery, networking, and security setup. | Required | Management account |
| Resource planning | Invite existing accounts | Invites existing Alibaba Cloud accounts to join the resource directory. Invitations are emailed to account owners, expire after 12 hours, and must be resent from Resource Directory if not accepted. | Optional | Management account |
| Identity and permissions | Set up CloudSSO | Enables CloudSSO with pre-configured access configurations, streamlining identity and permissions across multiple accounts. | Recommended | Management account |
| Compliance audit | Centralized log delivery for ActionTrail | Delivers ActionTrail logs from multiple accounts to the log archive account. Supports delivery to OSS for long-term storage or SLS for real-time analysis. | Recommended | Log archive account |
| Compliance audit | Centralized log delivery for CloudConfig | Delivers CloudConfig logs from multiple accounts to the log archive account. Supports delivery to OSS for long-term storage or SLS for real-time analysis. | Recommended | Log archive account |
| Compliance audit | Enable protection rules | Configures CloudConfig protection rules to prevent modification of resources and configurations created by Agentic Cloud Governance Center. Compliance status is visible in the Agentic Cloud Governance Center or CloudConfig console. | Required | Management account |
| Compliance audit | Centralized delivery of service logs | Delivers SLS-based runtime logs covering storage (OSS, NAS), networking (SLB, ALB, API Gateway, VPC), databases (ApsaraDB RDS, PolarDB-X 1.0, PolarDB), and security (WAF, Anti-DDoS, Cloud Firewall). | Optional | Log archive account |
| Finance | Set up finance trusteeship | Configures the finance trusteeship method and financial management account for unified settlement. | Recommended | Financial management account |
| Network | Enable Cloud Enterprise Network | Enables CEN to connect on-premises, cross-region, and multicloud networks. A DMZ setup after CEN is recommended for improved network security. | Optional | Shared service account |
| O&M | Enterprise-grade ACK cluster | Sets up an enterprise-grade ACK Pro cluster with load balancing and multi-zone deployment in a specified account. | Optional | Any account |
Solutions library
The Solutions library provides design methodologies, best practices, and deployment code for cloud resource structure, access control, networking, compliance, and O&M.
Review relevant case studies before setting up your landing zone.
Expert service
Contact Alibaba Cloud experts through the expert service page for a customized IT governance solution.